We present a unified framework for the declarative analysis of structured communications. By relying 
on a (timed) concurrent constraint programming language, we show that in addition to the usual 
operational techniques from process calculi, the analysis of structured communications can elegantly 
exploit logic-based reasoning techniques. We introduce a declarative interpretation of the language 
for structured communications proposed by Honda, Vasconcelos, and Kubo. Distinguishing features 
of our approach are: the possibility of including partial information (constraints) in the session model; 
the use of explicit time for reasoning about session duration and expiration; a tight correspondence 
with logic, which formally relates session execution and linear-time temporal logic formulas. 

1 Introduction 

Motivation. From the viewpoint of reasoning techniques, two main trends in modeling in Service 
Oriented Computing (SOC) can be singled out. On the one hand, an operational approach focuses on 
how process interactions can lead to correct configurations. Typical representatives of this approach are 
based on process calculi and Petri nets (see, e.g., [18, 3, 8, 9]), and count on behavioral equivalences 
and type disciplines as their main analytic tools. On the other hand, in a declarative approach the focus is 
on the set of conditions components should fulfill in order to be considered correct, rather than on the 
complete specification of the control flows within process activities (see, e.g., [19, 14]). Even if these 
two trends address similar concerns, we find that they have evolved rather independently from each other. 

The quest for a unified approach in which operational and declarative techniques can harmoniously 
converge is therefore a legitimate research direction. In this paper we shall argue that Concurrent 
Constraint Programming (CCP) [17] can serve as a foundation for such an approach. Indeed, the unified 
framework for operational and logic techniques that CCP provides can be fruitfully exploited for 
analysis in SOC, possibly in conjunction with other techniques such as type systems. Below we briefly 
introduce the CCP model and then elaborate on how it can shed light on a particular issue: the analysis 
of structured communications. 

CCP [17] is a well-established model for concurrency where processes interact with each other by 
telling and asking for pieces of information (constraints) in a shared medium, the store. While the former 
operation simply adds a given constraint to the store (thus making it available for other processes), the 
latter allows for rich, parameterizable forms of process synchronization. Interaction is thus inherently 
asynchronous, and can be related to a broadcast-like communication discipline, as opposed to the 
point-to-point discipline enforced by formalisms such as the π-calculus [15]. In CCP, the information in 
the store grows monotonically, as constraints cannot be removed. This condition is relaxed in timed 
extensions of CCP (e.g., [16, 11]), where processes evolve along a series of discrete time units. Although 
each unit contains its own store, information is not automatically transferred from one unit to another. In 
this paper we shall adopt a CCP process language that is timed in this sense. 
In addition to the traditional operational view of process calculi, CCP enjoys a declarative nature 
that distinguishes it from other models of concurrency: CCP programs can be seen, at the same time, 
as computing agents and as logic formulas [17, 11, 12], i.e., they can be read and understood as logical 
specifications. Hence, CCP-based languages are suitable for both the specification and verification of 
programs. In the CCP language used in this paper, processes can be interpreted as linear-time temporal 
logic formulas; we shall exploit this correspondence to verify properties of our models. 

This Work. We describe initial results on the definition of a formal framework for the declarative 
analysis of structured communications. We shall exploit utcc [13], a timed CCP process calculus, 
to give a declarative interpretation to the language defined by Honda, Vasconcelos, and Kubo in [7] 
(henceforth referred to as HVK). This way, structured communications can be analyzed in a declarative 
framework where time is defined explicitly. We begin by proposing an encoding of the HVK language 
into utcc and studying its correctness. We then move to the timed setting, and propose HVK^T, a timed 
extension of HVK. The extended language explicitly includes information on session duration, allows 
for declarative preconditions within session establishment constructs, and features a construct for session 
abortion. We then discuss how the encoding of HVK into utcc straightforwardly extends to HVK^T. 

A Compelling Example. We now give intuitions on how a declarative approach could be useful in 
the analysis of structured communications. Consider the ATM example from [7, Sect. 4.1]. There, an 
ATM has established two sessions: the first one with a user, sharing session k over service a, and the 
second one with the bank, sharing session h over service b. The ATM offers deposit, balance, and 
withdraw operations. When executing a withdraw, if there is not enough money in the account, then 
an overdraft message is shown to the user. It is interesting to analyze what occurs when this scenario is 
extended to consider a card reader that acts as a malicious interface between the user and the ATM. The 
user communicates his personal data to the reader using the service r, which will be kept by the reader 
after the first withdraw operation to continue withdrawing money without the authorization of the user. 
A greedy card reader could even withdraw repeatedly until causing an overdraft, as expressed below: 

Reader = accept r(k') in k'?(id) in ... 
[The remainder of the specification, including the recursive process R and the process User, is not 
legible in this copy.] 

By creating sessions between them, the card reader Reader is able to receive the user's information, 
and to use it later by attempting a session establishment with the bank. Following authentication steps 
(not modeled above), the card reader allows the user to obtain the requested amount. Additional 
withdrawing transactions between the reader and the bank are defined by the recursive process R. In the 
specification above, the process Q can be assumed to send a message (through a session with the bank) 
representing the fact that the account has run out of money: Q = k_bank![0]; inact. 

Even in this simple scenario, the combination of operational and declarative reasoning techniques 
may come in handy to reason about the possible states of the system. Indeed, while an operational 
approach can be used to give an operational description of the compromised ATM above, the declarative 
approach can complement such a description by offering declarative insights regarding its evolution. For 
instance, assuming Q as above, one could show that a utcc specification of the ATM example satisfies 
the linear temporal logic formula ◇out(k_bank, 0), which intuitively means that in the presence of a 
malicious card reader the user's bank account will eventually reach an overdraft status. 



Related Work. One approach to combining the declarative flavor of constraints and process calculi 
techniques is represented by a number of works that have extended name-passing calculi with some form 
of partial information (see, e.g., [20, 6]). The crucial difference between such a strand of work and 
CCP-based calculi is that the latter offer a tight correspondence with logic, which greatly broadens the 
spectrum of reasoning techniques at one's disposal. Recent works similar to ours include CC-Pi [4] and 
the calculus for structured communications in [5]. Such languages feature elements that closely resemble 
ideas underlying CCP (especially [11]). The main difference between our approach and such works is that 
we adhere to the use of declarative reasoning techniques based on temporal logic as an effective way of 
complementing operational reasoning techniques. In [4], the reasoning techniques associated to CC-Pi 
are essentially operational, and used to reason about service-level agreement protocols. In [5], the key 
for analysis is represented by a type system which provides consistency for session execution, much as 
in the original approach in [7]. 



2 Preliminaries 

2.1 A Language for Structured Communication 

We begin by introducing HVK, a language for structured communication proposed in [7]. We assume the 
following conventions: names are ranged over by a, b, ...; channels are ranged over by k, k'; variables 
are ranged over by x, y, ...; constants (names, integers, booleans) are ranged over by c, c', ...; expressions 
(including constants) are ranged over by e, e', ...; labels are ranged over by l, l', ...; process variables are 
ranged over by X, Y, .... Finally, u, u', ... denote names and channels. We shall use x̃ to denote a sequence 
(tuple) of variables x1 ... xn of length n = |x̃|. The tilde notation will be similarly applied to other syntactic 
entities. The sets of free names/channels/variables/process variables of P are defined in the standard way, 
and are respectively denoted by fn(·), fc(·), fv(·), and fpv(·). Processes without free variables or free 
channels are called programs. 

Definition 1 (The HVK language [7]). Processes in HVK are built from: 

P, Q ::= request a(k) in P                      Session Request 
       | accept a(k) in P                       Session Acceptance 
       | k![e]; P                               Data Sending 
       | k?(x) in P                             Data Reception 
       | k ◁ l; P                               Label Selection 
       | k ▷ {l1 : P1 || ... || ln : Pn}        Label Branching 
       | throw k[k']; P                         Channel Sending 
       | catch k(k') in P                       Channel Reception 
       | if e then P else Q                     Conditional Statement 
       | P | Q                                  Parallel Composition 
       | inact                                  Inaction 
       | (νu)P                                  Hiding 
       | def D in P                             Recursion 
       | X[e k]                                 Process Variables 

D ::= X1(x1 k1) = P1 and ... and Xn(xn kn) = Pn   Declaration for Recursion 



Operational Semantics of HVK. The operational semantics of HVK is given by the reduction relation 
→h, which is the smallest relation on processes generated by the rules in Figure 1. In Rule Str, the 
structural congruence ≡h is the smallest relation satisfying: 1) P ≡h Q if they differ only by a renaming 
of bound variables (alpha-conversion). 2) P | inact ≡h P, P | Q ≡h Q | P, (P | Q) | R ≡h P | (Q | R). 3) 
(νu)inact ≡h inact, (νuu')P ≡h (νu'u)P, (νu)(P | Q) ≡h (νu)P | Q if u ∉ fv(Q), (νu)(def D in P) ≡h 
def D in ((νu)P) if u ∉ fv(D). 4) (def D in P) | Q ≡h def D in (P | Q) if fpv(D) ∩ fpv(Q) = ∅. 5) 
def D in (def D' in P) ≡h def D and D' in P if fpv(D) ∩ fpv(D') = ∅. 

Link   request a(k) in Q | accept a(k) in P  →h  (νk)(P | Q) 

Com    (k![e]; P) | (k?(x) in Q)  →h  P | Q[c/x]                         (e ↓ c) 

Label  k ◁ li; P | k ▷ {l1 : P1 || ... || ln : Pn}  →h  P | Pi            (1 ≤ i ≤ n) 

Pass   throw k[k']; P | catch k(k') in Q  →h  P | Q 

If1    if e then P else Q  →h  P                                         (e ↓ true) 

If2    if e then P else Q  →h  Q                                         (e ↓ false) 

Def    def D in (X[e k] | Q)  →h  def D in (P[c/x] | Q)                   (e ↓ c, X(x k) = P ∈ D) 

Scop   P →h P' implies (νu)P →h (νu)P' 

Par    P →h P' implies P | Q →h P' | Q 

Str    If P ≡h P' and P' →h Q' and Q' ≡h Q then P →h Q 

Figure 1: Reduction Relation for HVK (→h). 

Let us give some intuitions about the language constructs and the rules in Figure 1. The central idea 
in HVK is the notion of a session, i.e., a series of reciprocal interactions between two parties, possibly 
with branching, delegation and recursion, which serves as an abstraction unit for describing structured 
communication. Each session has an associated specific port, or channel. Channels are generated at 
session initialization; communications inside the session take place on the same channel. 

More precisely, sessions are initialized by a process of the form request a(k) in Q | accept a(k) in P. 
In this case, there is a request, on name a, for the initiation of a session and the generation of a fresh 
channel. This request is matched by an accepting process on a, which generates a new channel k, thus 
allowing P and Q to communicate with each other. This is the intuition behind rule Link. Three kinds 
of atomic interactions are available in the language: sending (including name passing), branching, and 
channel passing (also referred to as delegation). Those actions are described by rules Com, Label, and 
Pass, respectively. In the case of Com, the expression e is sent on the port (session channel) k. Process 
k?(x) in Q then receives such data and executes Q[c/x], where c is the result of evaluating the expression 
e. The case of Pass is similar, but considering that in the constructs throw k[k']; P and catch k(k') in Q 
only session names can be transmitted. In the case of Label, the process k ◁ li; P selects one label li and 
then the corresponding process Pi is executed. The other rules are self-explanatory. 

For the sake of simplicity, and without loss of generality (due to rule 5 of ≡h), in the sequel we shall 
assume programs of the form def D in P where there are no procedure definitions in P. 

2.2 Timed Concurrent Constraint Programming 

Timed concurrent constraint programming (tcc) [16] extends CCP for modeling reactive systems. In 
tcc, time is conceptually divided into time units (or time intervals). In a particular time unit, a tcc 
process P gets an input (i.e., a constraint) c from the environment, it executes with this input as the 
initial store, and when it reaches its resting point, it outputs the resulting store d to the environment. The 
resting point also determines a residual process Q, which is then executed in the next time unit. It is worth 
noticing that the final store is not automatically transferred to the next time unit. 

The utcc calculus [13] extends tcc for reactive systems featuring mobility. Here mobility is 
understood as the dynamic reconfiguration of system linkage through communication, much like in the 
π-calculus [15]. utcc generalizes tcc by considering a parametric ask operator of the form (abs x; c)P, 
with the following intuitive meaning: process P[t/x] is executed for every term t such that the current 
store entails an admissible substitution c[t/x]. This process can be seen as an abstraction of the process 
P on the variables x under the constraint (or with the guard) c. 

utcc provides a number of reasoning techniques. First, utcc processes can be represented as 
partial closure operators (i.e., idempotent and extensive functions). Also, for a significant fragment of the 
calculus, the input-output behavior of a process P can be retrieved from the set of fixed points of its 
associated closure operator [12]. Second, utcc processes can be characterized as First-order Linear-time 
Temporal Logic (FLTL) formulas [10]. This declarative view of the processes allows for the use of the 
well-established verification techniques from FLTL to reason about utcc processes. 

Syntax. Processes in utcc are parametric in a constraint system [11], which specifies the basic 
constraints that agents can tell or ask during execution. It also defines an entailment relation "⊢" specifying 
interdependencies among constraints. Intuitively, c ⊢ d means that the information in d can be deduced 
from that in c (as in, e.g., x > 42 ⊢ x > 0). 

The notion of constraint system can be set up by using first-order logic (see, e.g., [11]). We assume a 
first-order signature Σ and a (possibly empty) first-order theory Δ, i.e., a set of sentences over Σ having at 
least one model. Constraints are then first-order formulas over Σ. Consequently, the entailment relation 
is defined as follows: c ⊢ d if the implication c ⇒ d is valid in Δ. 

The syntax of the language is as follows: 

P, Q ::= skip | tell(c) | (abs x; c)P | P || Q | (local x; c)P | next P | unless c next P | !P 

with the variables in x being pairwise distinct. 

A process skip does nothing; a process tell(c) adds c to the store in the current time interval. A 
process Q = (abs x; c)P binds the variables x in P and c. It executes P[t/x] for every term t s.t. the 
current store entails an admissible substitution over c[t/x]. The substitution [t/x] is admissible if |x| = |t| 
and no xi in x occurs in t. Furthermore, Q evolves into skip at the end of the time unit, i.e., abstractions 
are not persistent when passing from one time unit to the next one. P || Q denotes P and Q running in 
parallel during the current time unit. A process (local x; c)P binds the variables x in P by declaring them 
private to P under a constraint c. If c = true, we write (local x)P instead of (local x; true)P. The unit 
delay next P executes P in the next time unit. The time-out unless c next P is also a unit delay, but P is 
executed in the next time unit iff c is not entailed by the final store at the current time unit. Finally, the 
replication !P means P || next P || next^2 P || ..., i.e., an unbounded number of copies of P but one at a 
time. We shall use !_[n] P to denote bounded replication, i.e., P || next P || ... || next^n P. 

From a programming language perspective, the variables x in (abs x; c)P can be seen as the formal 
parameters of P. This way, recursive definitions of the form X(x) ≝ P can be encoded in utcc as 

ℛ[[X(x) ≝ P]] = ! (abs x; call_X(x)) P̂                                                   (1) 

where call_X is an uninterpreted predicate (a constraint) of arity |x|. Process P̂ is obtained from P by 
replacing recursive calls of the form X(t) with tell(call_X(t)). Similarly, calls of the form X(t) in other 
processes are replaced with tell(call_X(t)). 

Operational Semantics. The operational semantics considers transitions between process-store 
configurations (P, c), with stores represented as constraints and processes quotiented by the structural 
congruence ≡u defined below. We shall use γ, γ', ... to range over configurations. 

The semantics is given in terms of an internal and an observable transition relation; both are given 
in Figure 2. The internal transition (P, d) → (P', d') informally means "P with store d reduces, in one 
internal step, to P' with store d'". We sometimes abuse notation by writing P → P' when d, d' are 
unimportant. The observable transition P ==(c,d)==> R means "P on input c, reduces in one time unit to R 
and outputs d". The latter is obtained from a finite sequence of internal transitions. 

R_T   (tell(c), d) → (skip, d ∧ c) 

R_P   (P, c) → (P', d)  implies  (P || Q, c) → (P' || Q, d) 

R_U   d ⊢ c  implies  (unless c next P, d) → (skip, d) 

R_L   (P, c ∧ (∃x d)) → (P', c' ∧ (∃x d))  implies  ((local x; c)P, d) → ((local x; c')P', d ∧ ∃x c') 

R_A   d ⊢ c[t/x] and [t/x] is admissible  implies  ((abs x; c)P, d) → (P[t/x] || (abs x; c ∧ x ≠ t)P, d) 

R_S   γ1' → γ2'  implies  γ1 → γ2   if γ1 ≡u γ1' and γ2 ≡u γ2' 

R_R   (!P, d) → (P || next !P, d) 

R_O   (P, c) →* (Q, d) ↛  implies  P ==(c,d)==> F(Q) 

      where F(P) = skip                  if P = skip or P = (abs x; c) Q 
                   F(P1) || F(P2)        if P = P1 || P2 
                   (local x) F(Q)        if P = (local x; c) Q 
                   Q                     if P = next Q or P = unless c next Q 

Figure 2: Operational Semantics for utcc. In R_A, x ≠ t (x syntactically different from t) denotes 
⋀_{1≤i≤|x|} x_i ≠ t_i. If |x| = 0, x ≠ t is defined as false. 

In rule R_S, the structural congruence ≡u is the smallest congruence satisfying: 1) P ≡u Q if they differ 
only by a renaming of bound variables. 2) P || skip ≡u P. 3) P || Q ≡u Q || P, P || (Q || R) ≡u (P || Q) || R. 
4) P || (local x; c)Q ≡u (local x; c)(P || Q) if x ∉ fv(P). 5) (local x; c)(local y; d)P ≡u (local x; y; c ∧ d)P 
if x ∩ y = ∅ and y ∉ fv(c). Extend ≡u by decreeing that (P, c) ≡u (Q, c) iff P ≡u Q. 

Definition 2 (Output Behavior). Let s = c1.c2....cn be a sequence of constraints. If P = P1 ==(true,c1)==> 
P2 ==(true,c2)==> ... Pn ==(true,cn)==> Pn+1 ≡u Q we shall write P ==(s)==> Q. If s = c1.c2.c3... is an 
infinite sequence, we omit Q in P ==(s)==> Q. The output behavior of P is defined as o(P) = {s | P ==(s)==>}. 
If o(P) = o(Q) we shall write P ~o Q. Furthermore, if P ==(s)==> Q and s is unimportant we simply write 
P ==>* Q. 



Logic Correspondence. Remarkably, in addition to this operational view, utcc processes admit a 
declarative interpretation based on Pnueli's first-order linear-time temporal logic (FLTL) [10]. This is 
formalized by the encoding below, which maps utcc processes into FLTL formulas. 

Definition 3. Let TL[[·]] be a map from utcc processes to FLTL formulas given by: 

TL[[skip]] = true                        TL[[tell(c)]] = c 
TL[[P || Q]] = TL[[P]] ∧ TL[[Q]]          TL[[(abs x; c)P]] = ∀x(c ⇒ TL[[P]]) 
TL[[(local x; c)P]] = ∃x(c ∧ TL[[P]])     TL[[next P]] = ○TL[[P]] 
TL[[unless c next P]] = c ∨ ○TL[[P]]      TL[[!P]] = □TL[[P]] 

Modalities ○F and □F represent that F holds next and always, respectively. We use the eventual 
modality ◇F as an abbreviation of ¬□¬F. 

The following theorem relates the operational view of processes with their logic interpretation. 

Theorem 1 (Logic correspondence [13]). Let TL[[·]] be as in Definition 3, P a utcc process and s = 
c1.c2.c3... an infinite sequence of constraints s.t. P ==(s)==>. For every constraint d, it holds that: 
TL[[P]] ⊢ ◇d iff there exists i ≥ 1 s.t. ci ⊢ d. 

Recall that an observable transition P ==(c,c')==> Q is obtained from a finite sequence of internal 
transitions (rule R_O). We notice that there exist processes that may produce infinitely many internal 
transitions and, as such, cannot exhibit an observable transition; an example is (abs x; c(x)) tell(c(x+1)). 
The utcc processes considered in this paper are well-terminated, i.e., they never produce an infinite number 
of internal transitions during a time unit. Notice also that in Theorem 1 the process P is assumed to 
be able to output a constraint ci for every time unit i ≥ 1. Therefore, P must be a well-terminated process. 

Derived Constructs. Let out be an uninterpreted predicate. One could attempt to represent the 
actions of sending and receiving as in a name-passing calculus (say, k![e] and k?(x) in P, resp.) with the 
utcc processes tell(out(k,e)) and (abs x; out(k,x))P, respectively. Nevertheless, since these processes 
are not automatically transferred from one time unit to the next one, they will disappear right after the 
current time unit, even if they do not interact. To cope with this kind of behavior, we shall define versions 
of the (abs x; c)P and tell(c) processes that are persistent in time. More precisely, we shall use the process 
(wait x; c) do P, which transfers itself from one time unit to the next one until, for some t, c[t/x] is 
entailed by the current store. Intuitively, the process behaves like an input that is active until interacting 
with an output. When this occurs, the process outputs the constraint c[t/x], as a way of acknowledging 
the successful read of c. When |x| = 0, we shall write whenever c do P instead of (wait x; c) do P. 
Similarly, we define tell~(c) for the persistent output of c until some process "reads" c. These processes 
can be expressed in the basic utcc syntax as follows (in all cases, we assume stop, go ∉ fv(c)): 

tell~(c) ≝ (local go, stop)( tell(out'(go)) || ! when out'(go) do tell(c) || 
                              ! unless out'(stop) next tell(out'(go)) || 
                              ! when c do ! tell(out'(stop)) ) 

(wait x; c) do P ≝ (local stop, go)( tell(out'(go)) || ! unless out'(stop) next tell(out'(go)) 
                                     || ! (abs x; c ∧ out'(go)) (P || ! tell(out'(stop))) ) 

(wait~ x; c) do P ≝ (wait x; c) do (P || tell(c)) 

Notice that once a pair of processes tell~ and wait interact, their continuation in the next time unit is 
a process able to output only a constraint of the form ∃x out'(x) (e.g., ∃stop (out'(stop))). We define the 
following equivalence relation that allows us to abstract from these processes. 

Definition 4 (Observables). Let ~o be the output equivalence relation in Definition 2. We say that P and 
Q are observable equivalent, notation P ~obs Q, if P || ! tell(∃x out'(x)) ~o Q || ! tell(∃x out'(x)). 

Using the previous equivalence relation, we can show the following. 

Proposition 1. Assume that c(x) is a predicate symbol of arity |x|. 

1. If d ⊬ c[t/x] for any t then (wait x; c) do P ==(d,d')==> (wait x; c) do P. 

2. If P ≡u tell~(c(t)) || (wait x; c(x)) do next Q then P ==>* ~obs Q[t/x]. 

3 A Declarative Interpretation for Structured Communications 

The encoding [[·]] from HVK into utcc is defined in Table 3. Two noteworthy aspects when considering 
such a translation are determinacy and timed behavior. Concerning determinacy, it is of utmost 
importance to recall that while utcc is a deterministic language, HVK processes may exhibit non-deterministic 
behavior. Moreover, HVK is a synchronous language, whereas utcc is asynchronous. Consider, 
for instance, the HVK process: 

P = k![e]; Q1 | k![e']; Q2 | k?(x) in Q3 
[[request a(k) in P]] = (local k)(tell(req(a,k)) || whenever acc(a,k) do next [[P]]) 
[[accept a(k) in P]] = (wait k; req(a,k)) do (tell(acc(a,k)) || next [[P]]) 

[[k![e]; P]] = tell(out(k,e)) || whenever out(k,e) do next [[P]] 
[[k?(x) in P]] = (wait x; out(k,x)) do next [[P]] 

[[k ◁ l; P]] = tell(sel(k,l)) || whenever sel(k,l) do next [[P]] 
[[k ▷ {l1 : P1 || ... || ln : Pn}]] = (wait l; sel(k,l)) do Π_{1≤i≤n} when l = li do next [[Pi]] 

[[throw k[k']; P]] = tell(outk(k,k')) || whenever outk(k,k') do next [[P]] 
[[catch k(k') in P]] = whenever outk(k,k') do next [[P]] 

[[if e then P else Q]] = when e ↓ true do next [[P]] || when e ↓ false do next [[Q]] 

[[P | Q]] = [[P]] || [[Q]] 
[[inact]] = skip 
[[(νu)P]] = (local u) [[P]] 
[[def D in P]] = Π_{Xi(xi ki) ∈ D} ℛ[[Xi(xi ki)]] || P̂ 

Table 3: An Encoding from HVK into utcc. ℛ[[·]] and P̂ are defined in Equation (1). 



Process P can have two possible transitions, and evolve into k![e']; Q2 | Q1 | Q3[e/x] or into 
k![e]; Q1 | Q2 | Q3[e'/x]. In both cases, there is an output that cannot interact with the input k?(x) in Q3. 
In utcc, inputs are represented by abstractions, which are persistent during a time unit. As a result, in the 
encoding of P we shall observe that both outputs react with the same input, i.e., 
[[P]] ==>* [[Q3[e/x]]] || [[Q3[e'/x]]]. 

As for timed behavior, it is crucial to observe that while HVK is an untimed calculus, utcc provides 
constructs for explicit time. In the encoding we shall advocate a timed interpretation of HVK in which 
all available synchronizations between processes occur at a given time unit, and the continuations of 
synchronized processes are executed in the next time unit. This will prove convenient when showing 
the operational correspondence between both calculi, as we can relate the observable behavior in utcc 
and the reduction semantics in HVK. 

Let us briefly provide some intuitions on [[·]]. Consider HVK processes P = request a(k) in P' and 
Q = accept a(k) in Q'. The encoding of P declares a new session variable k and sends it through the 
channel a by posting the constraint req(a,k). Upon reception of the session key (local variable) 
generated by [[P]], process [[Q]] adds the constraint acc(a,k) to notify the acceptance of k. They can then 
synchronize on this constraint, and execute their continuations in the next time unit. The encoding of 
label selection and branching is similar, and uses the constraint sel(k,l) for synchronization. We use the 
parallel composition Π_{1≤i≤n} when l = li do next [[Pi]] to execute the selected choice. Notice that we do not 
require a non-deterministic choice since the constraints l = li are mutually exclusive. As in [7], in the 
encoding of if e then P else Q we assume an evaluation function on expressions. Once e is evaluated, e↓ 
is a constant boolean value. The encoding of def D in P exploits the scheme described in Equation (1). 
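As an added, runnable model of the utcc semantics of Figure 2 and of the wait/whenever constructs that the encoding in Table 3 relies on (this is not code from the paper): it assumes a constraint system of ground atoms with entailment as set membership, and renders the (local go, stop) names of the wait definition as fresh numbered atoms. It shows that a plain abstraction vanishes at the end of its time unit while wait survives until it reads, and runs the Table 3 encoding of the redex k![5]; inact | k?(x) in k2![x]; inact over three time units.

```python
import itertools
from collections import namedtuple

# Added model of the utcc semantics (not code from the paper). Assumed constraint system:
# constraints are ground atoms such as ("out", "k", 5), a store is a frozenset of atoms and
# d |- c holds iff c is in d. Variables are the strings listed in an abstraction's `xs`.
Skip = namedtuple("Skip", "")
Tell = namedtuple("Tell", "c")                      # tell(c)
Par = namedtuple("Par", "p q")                      # P || Q
Next = namedtuple("Next", "p")                      # next P
Unless = namedtuple("Unless", "c p")                # unless c next P
Bang = namedtuple("Bang", "p")                      # !P
# (abs xs; c1 /\ ... /\ cn) P; `done` holds the substitutions already fired (the x != t guards of R_A)
Abs = namedtuple("Abs", "xs cs p done", defaults=[frozenset()])

def apply(atom, s):
    return tuple(s.get(a, a) for a in atom)

def subst(p, s):
    """Apply substitution s (dict var -> term) to process p; inner binders shadow outer ones."""
    if isinstance(p, Tell):   return Tell(apply(p.c, s))
    if isinstance(p, Par):    return Par(subst(p.p, s), subst(p.q, s))
    if isinstance(p, Next):   return Next(subst(p.p, s))
    if isinstance(p, Bang):   return Bang(subst(p.p, s))
    if isinstance(p, Unless): return Unless(apply(p.c, s), subst(p.p, s))
    if isinstance(p, Abs):
        inner = {v: t for v, t in s.items() if v not in p.xs}
        return Abs(p.xs, tuple(apply(c, inner) for c in p.cs), subst(p.p, inner), p.done)
    return p

def solutions(cs, store, xs, s=None):
    """Every substitution of xs under which all atoms of cs are entailed by store."""
    s = s or {}
    if not cs:
        yield frozenset(s.items()); return
    for atom in store:
        ext = dict(s)
        if len(atom) == len(cs[0]) and all(
                (ext.setdefault(a, b) == b) if a in xs else a == b for a, b in zip(cs[0], atom)):
            yield from solutions(cs[1:], store, xs, ext)

def step(p, d):
    """One internal transition (P,d) -> (P',d') of Figure 2; returns (p, d, False) if none applies."""
    if isinstance(p, Tell):
        return Skip(), d | {p.c}, True                          # R_T
    if isinstance(p, Bang):
        return Par(p.p, Next(p)), d, True                        # R_R: !P -> P || next !P
    if isinstance(p, Par):                                       # R_P, left component first
        q, d2, ch = step(p.p, d)
        if ch: return Par(q, p.q), d2, True
        q, d2, ch = step(p.q, d)
        if ch: return Par(p.p, q), d2, True
    if isinstance(p, Abs):                                       # R_A: fire once per substitution
        for sigma in solutions(p.cs, d, p.xs):
            if sigma not in p.done:
                return Par(subst(p.p, dict(sigma)), Abs(p.xs, p.cs, p.p, p.done | {sigma})), d, True
    return p, d, False

def future(p, d):
    """Residual F(P) of Figure 2 at the resting point of a time unit whose final store is d."""
    if isinstance(p, Par):    return Par(future(p.p, d), future(p.q, d))
    if isinstance(p, Next):   return p.p
    if isinstance(p, Unless): return Skip() if p.c in d else p.p   # R_U, applied at the resting point
    return Skip()             # skip, tell and abstractions are not transferred to the next unit

def run(p, inputs):
    """Output store of each time unit (rule R_O): internal steps to quiescence on the unit's
    input, then the residual process starts the next unit with a fresh store."""
    outs = []
    for c in inputs:
        d, changed = frozenset(c), True
        while changed:
            p, d, changed = step(p, d)
        outs.append(d)
        p = future(p, d)
    return outs

_fresh = itertools.count()
def wait(xs, c, p):
    """(wait xs; c) do p, built as in the paper's definition; the (local stop, go) names are
    rendered as fresh atoms ("go", n) / ("stop", n), an assumption of this model."""
    n = next(_fresh)
    go, stop = ("go", n), ("stop", n)
    return Par(Tell(go), Par(Bang(Unless(stop, Tell(go))),
                             Bang(Abs(xs, (c, go), Par(p, Bang(Tell(stop)))))))
def whenever(c, p): return wait((), c, p)           # whenever c do p, i.e. wait with |xs| = 0

def observe(outs):                                  # hide the go/stop atoms, as Definition 4 does
    return [frozenset(a for a in d if a[0] not in ("go", "stop")) for d in outs]

# (abs x; out(k,x)) next tell(got(x)): the naive input, gone at the end of its time unit
def naive_input(): return Abs(("x",), (("out", "k", "x"),), Next(Tell(("got", "x"))))
# (wait x; out(k,x)) do next tell(got(x)): the persistent input
def persistent_input(): return wait(("x",), ("out", "k", "x"), Next(Tell(("got", "x"))))

def encoded_redex():
    """[[ k![5]; inact | k?(x) in k2![x]; inact ]] following Table 3, with [[inact]] = skip."""
    sender = Par(Tell(("out", "k", 5)), whenever(("out", "k", 5), Next(Skip())))
    cont = Par(Tell(("out", "k2", "x")), whenever(("out", "k2", "x"), Next(Skip())))
    return Par(sender, wait(("x",), ("out", "k", "x"), Next(cont)))
```

With the constructed input sequence [∅, {out(k,7)}, ∅], observe(run(persistent_input(), ...)) returns [∅, {out(k,7)}, {got(7)}], whereas the same run of naive_input() never produces got(7), because the abstraction is not transferred to the second unit.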

Operational Correspondence. Here we study an operational correspondence property for our 
encoding. The differences with respect to (a)synchrony and determinacy discussed above will have a direct 
influence on the correspondence. Intuitively, the encoding falls short for HVK programs featuring the 
kind of non-determinism that results from "uneven pairings" between session requesters/providers, label 
selection/branching, and inputs/outputs, as in the example above. 
We thus find it convenient to appeal to the type system of HVK to obtain some basic determinacy 
of the source terms. Roughly speaking, the type discipline in [7] ensures a correct pairing between 
actions and co-actions once a session is established. Although the type system guarantees a correct 
match between (the types of) session requesters and providers, it does not rule out the kind of 
non-determinism induced by different orders in the pairing of requesters and providers. We shall then require 
session providers to be always willing to engage in a session. That is, given a channel a, we require 
that there is at most one accept process (possibly replicated) on a that is able to synchronize with every 
process requesting a session on a. Notice that this requirement is in line with a meaningful class of 
programs, namely those described by the type discipline developed in [7]. 

Before presenting the operational correspondence, we introduce some auxiliary notions. 

Definition 5 (Processes in normal form). We say that an HVK process P is in normal form if it takes the 
form inact or def D in νu(Q1 | ··· | Qn), where neither the operators "ν" and "|" nor process variables 
occur at the top level of Q1, ..., Qn. 

The following proposition states that, given a process P, we can find a process P' in normal form such 
that either P' is structurally congruent to P, or it results from replacing the process variables at the top 
level of P with their corresponding definitions (using rule Def). 

Proposition 2. For every HVK process P there exists P' in normal form s.t. P →*h ≡h P', using only the 
rules Def and Str in Figure 1. 

Proof. Let P be a process of the form def D in Q where there are no procedure definitions in Q. By 
repeated applications of the rule Def, we can show that P →*h P' where P' does not have occurrences 
of process variables at the top level. Then, we use the rules of the structural congruence to move the 
local variables to the outermost position and find P'' ≡h P' in the desired normal form. □ 

Notice that the rules of the operational semantics of HVK are given for pairs of processes that can 
interact with each other. We shall refer to each of those pairs as a redex. 

Definition 6 (Redex). A redex is a pair of complementary processes composed in parallel as in: 

(1) request a(k) in P | accept a(k) in Q 
(2) k![e]; P | k?(x) in Q 
(3) throw k[k']; P | catch k(k') in Q 
(4) k ◁ l; P | k ▷ {l1 : P1 || ... || ln : Pn} 

Notice that a redex in HVK synchronizes and reduces in a single transition, as in (k![e]; P) | (k?(x) in Q) 
→h P | Q[e/x]. Nevertheless, in utcc, the encoding of the processes above requires several internal 
transitions for adding the constraint out(k,e) to the current store, and for "reading" that constraint by 
means of (wait x; out(k,x)) do next [[Q]] to later execute next [[Q[e/x]]]. We shall then establish the 
operational correspondence between an observable transition of utcc (obtained from a finite number of 
internal transitions) and the following subset of reduction relations over HVK processes: 

Definition 7 (Outermost Reductions). Let P ≡h def D in νx(Q1 | ··· | Qn) be an HVK program in normal 
form. We define the outermost reduction relation P ==>h P' as the maximal sequence of reductions 
P →*h P' ≡h def D in νx'(Q1' | ··· | Qn') such that for every i ∈ {1, .., n}, either 

1. Qi = if e then R1 else R2 →h R1/2 = Qi'; 

2. for some j ∈ {1, .., n}, Qi | Qj is a redex such that Qi | Qj →h νy(Qi' | Qj'), with y ⊆ x'; 

3. there is no k ∈ {1, .., n} such that Qi | Qk is a redex, and Qi ≡h Qi'. 
One may argue that the above definition rules out some possible reductions in HVK. Returning to the concerns about determinacy, an outermost reduction filters out the cases in which there is more than one possible reduction for a set of parallel processes (e.g., the parallel composition of two outputs and one input on the same session key). The use of outermost reductions gives us a subset of the possible reductions in HVK that keeps synchronizing processes and discards processes that are not going to interact in any way. Recall that in the typing discipline of HVK the composition of an input and an output with the same session key consumes the channel used; hence every other process sending information over the same session will have no complementary process to synchronize with.

In the sequel we shall thus consider only HVK processes $P$ that are deterministic, i.e., such that for every $n > 1$, if $P \Longrightarrow_h P_1$, …, $P \Longrightarrow_h P_n$ then $P_i \equiv_h P_j$ for all $i, j \in \{1,\ldots,n\}$: all outermost reductions of $P$ lead to structurally congruent processes.
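As an added illustration (not code from the paper), the following Python sketch implements redex detection (Definition 6), one outermost reduction step (Definition 7) and the determinacy check just described, over a toy tuple representation of HVK parallel compositions. The representation, the `COMPLEMENT` table, the helper names and the sample processes are all assumptions of this example.

```python
"""Redexes (Def. 6), one outermost reduction step (Def. 7) and a determinacy
check over a toy representation of HVK parallel compositions.

Constructed example, not code from the paper. A process is a tuple whose first
element names its prefix, and None stands for inact:
  ('request', a, k, P)   ('accept', a, k, Q)
  ('out', k, e, P)       ('in', k, x, Q)          # k![e];P  |  k?(x) in Q
  ('throw', k, k2, P)    ('catch', k, k2, Q)
  ('select', k, l, P)    ('branch', k, {l: P_l})  # k <| l;P  |  k |> {l_i : P_i}
  ('if', bool, P, Q)
"""
from typing import Any, Dict, List, Optional, Tuple

Proc = Optional[tuple]

# Complementary prefixes of Definition 6 (request/accept match on the service
# name a, the others on the session key k; both sit at index 1 of the tuple).
COMPLEMENT = {('request', 'accept'), ('out', 'in'),
              ('throw', 'catch'), ('select', 'branch')}


def is_redex(p: Proc, q: Proc) -> bool:
    """p | q is a redex iff the prefixes are complementary on the same name/key."""
    if p is None or q is None:
        return False
    if (p[0], q[0]) in COMPLEMENT:
        return p[1] == q[1]
    return (q[0], p[0]) in COMPLEMENT and q[1] == p[1]


def substitute(proc: Any, x: str, e: Any) -> Any:
    """Q[e/x]: replace every occurrence of the variable x in the process tree."""
    if isinstance(proc, str) and proc == x:
        return e
    if isinstance(proc, tuple):
        return tuple(substitute(part, x, e) for part in proc)
    if isinstance(proc, dict):
        return {label: substitute(part, x, e) for label, part in proc.items()}
    return proc


def reduce_redex(p: Proc, q: Proc) -> Tuple[Proc, Proc]:
    """One HVK reduction of a redex (rules Link, Com, Pass and Label)."""
    if (p[0], q[0]) not in COMPLEMENT:          # normalise the order of the pair
        q2, p2 = reduce_redex(q, p)
        return p2, q2
    kind = p[0]
    if kind in ('request', 'throw'):            # (nu k)(P | Q), resp. P | Q
        return p[3], q[3]
    if kind == 'out':                           # k![e];P | k?(x) in Q -> P | Q[e/x]
        _, _, e, cont = p
        _, _, x, body = q
        return cont, substitute(body, x, e)
    _, _, label, cont = p                       # k <| l;P | k |> {...} -> P | P_l
    return cont, q[2][label]


def partner_table(procs: List[Proc]) -> Dict[int, List[int]]:
    """For every Q_i, the indices j such that Q_i | Q_j is a redex."""
    n = len(procs)
    return {i: [j for j in range(n) if j != i and is_redex(procs[i], procs[j])]
            for i in range(n)}


def is_deterministic(procs: List[Proc]) -> bool:
    """Sufficient condition for determinacy: no process has two possible
    partners (e.g. two outputs and one input on the same session key)."""
    return all(len(js) <= 1 for js in partner_table(procs).values())


def outermost_step(procs: List[Proc]) -> List[Proc]:
    """One outermost reduction (Def. 7) of Q_1 | ... | Q_n: every Q_i takes its
    if-branch, reduces with its unique partner, or stays as it is."""
    if not is_deterministic(procs):
        raise ValueError("non-deterministic parallel composition")
    partners = partner_table(procs)
    result = list(procs)
    done = set()
    for i, p in enumerate(procs):
        if i in done:
            continue
        if p is not None and p[0] == 'if':
            result[i] = p[2] if p[1] else p[3]
            done.add(i)
        elif partners[i]:
            j = partners[i][0]
            result[i], result[j] = reduce_redex(p, procs[j])
            done.update((i, j))
    return result


# Constructed sample: an output/input pair on k, a conditional, and a
# request/accept pair on service a, all reduced in one outermost step.
SAMPLE = [('out', 'k', 42, None),
          ('in', 'k', 'x', ('out', 'h', 'x', None)),
          ('if', True, ('out', 'h', 1, None), None),
          ('request', 'a', 'k2', ('out', 'k2', 'hi', None)),
          ('accept', 'a', 'k2', ('in', 'k2', 'y', None))]

if __name__ == "__main__":
    print(outermost_step(SAMPLE))
```

`outermost_step` reduces all enabled redexes and conditionals of the composition at once, which is exactly what one observable utcc transition of the encoding is later matched against; a composition in which some process has two candidate partners is rejected rather than reduced, mirroring the restriction to deterministic processes.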

Theorem 2 (Operational Correspondence). Let $P, Q$ be deterministic HVK processes in normal form and $R, S$ be utcc processes. It holds:

1) Soundness: If $P \Longrightarrow_h Q$ then, for some $R$, $\llbracket P \rrbracket \Longrightarrow R \sim_{obs} \llbracket Q \rrbracket$.

2) Completeness: If $\llbracket P \rrbracket \Longrightarrow S$ then, for some $Q$, $P \Longrightarrow_h Q$ and $\llbracket Q \rrbracket \sim_{obs} S$.

Proof. Assume that $P \equiv_h \mathbf{def}\ D\ \mathbf{in}\ (\nu\vec{x})(Q_1 \mid \cdots \mid Q_n)$ and $Q \equiv_h \mathbf{def}\ D\ \mathbf{in}\ (\nu\vec{x}')(Q'_1 \mid \cdots \mid Q'_n)$.

1. Soundness. Since $P \Longrightarrow_h Q$ there must exist a sequence of derivations of the form $P \equiv_h P_1 \longrightarrow_h P_2 \longrightarrow_h \cdots \longrightarrow_h P_m \equiv_h Q$. The proof proceeds by induction on the length of this derivation, with a case analysis on the last applied rule. We then have the following cases:

(a) Using the rule If1. It must be the case that there exists $Q_i \equiv_h \mathbf{if}\ e\ \mathbf{then}\ R_1\ \mathbf{else}\ R_2$ with $Q_i \longrightarrow_h R_1 \equiv_h Q'_i$ and $e \downarrow \mathit{true}$. One can easily show that $\mathbf{when}\ e \downarrow \mathit{true}\ \mathbf{do}\ \mathbf{next}\,\llbracket Q'_i \rrbracket \Longrightarrow \llbracket Q'_i \rrbracket$.

(b) Using the rule If2. Similarly as for If1.

(c) Using the rule Link. It must be the case that there exist $i, j$ such that $Q_i \equiv_h \mathbf{request}\ a(k)\ \mathbf{in}\ Q'_i$ and $Q_j \equiv_h \mathbf{accept}\ a(x)\ \mathbf{in}\ Q'_j$, and then $Q_i \mid Q_j \longrightarrow_h (\nu k)(Q'_i \mid Q'_j)$. We then have a derivation

$$
\begin{array}{l}
(\mathbf{local}\ k; c)\big(R_i \parallel \mathbf{whenever}\ \mathit{acc}(a,k)\ \mathbf{do}\ \mathbf{next}\,\llbracket Q'_i \rrbracket \parallel
(\mathbf{wait}\ k'; \mathit{req}(a,k'))\ \mathbf{do}\ (\mathbf{tell}(\mathit{acc}(a,k')) \parallel \mathbf{next}\,\llbracket Q'_j \rrbracket)\big) \\[2pt]
\quad \longrightarrow^* (\mathbf{local}\ k; c')\big(R'_i \parallel \mathbf{whenever}\ \mathit{acc}(a,k)\ \mathbf{do}\ \mathbf{next}\,\llbracket Q'_i \rrbracket \parallel R'_j \parallel \mathbf{tell}(\mathit{acc}(a,k)) \parallel \mathbf{next}\,\llbracket Q'_j[k/k'] \rrbracket\big) \\[2pt]
\quad \longrightarrow^* (\mathbf{local}\ k; c'')\big(R'_i \parallel R'_j \parallel \mathbf{next}\,\llbracket Q'_i \rrbracket \parallel \mathbf{next}\,\llbracket Q'_j[k/k'] \rrbracket\big) \ \not\longrightarrow
\end{array}
$$

where $c = \mathit{req}(a,k)$, $c' = c \wedge \mathit{req}(a,k)$, $c'' = c' \wedge \mathit{acc}(a,k)$, and $R'_i$, $R'_j$ are the processes resulting from the interaction of the processes $\mathbf{tell}(\mathit{req}(a,k))$ and $(\mathbf{wait}\ k'; \mathit{req}(a,k'))\ \mathbf{do}\ \cdots$ in the parallel composition, i.e.:

$$
\begin{array}{rcl}
R'_i & \equiv_u & (\mathbf{local}\ go, stop;\ \mathit{out}'(go) \wedge \mathit{out}'(stop) \wedge c(\vec{t}))\ \mathbf{next}\,[\mathbf{unless}\ \mathit{out}'(stop)\ \mathbf{next}\ \mathbf{tell}(\mathit{out}'(go))] \parallel \mathbf{next}\,!\,\mathbf{tell}(\mathit{out}'(stop)) \\[4pt]
R'_j & \equiv_u & (\mathbf{local}\ stop', go';\ \mathit{out}'(go') \wedge c(\vec{t}) \wedge \mathit{out}'(stop'))\ \mathbf{next}\,!\,\mathbf{tell}(\mathit{out}'(stop')) \\
& & \parallel\ \mathbf{next}\,!\,\mathbf{unless}\ \mathit{out}'(stop')\ \mathbf{next}\ \mathbf{tell}(\mathit{out}'(go')) \\
& & \parallel\ (\mathbf{abs}\ \vec{x}; c \wedge \mathit{out}'(go') \wedge \vec{x} \neq \vec{t})\,(Q \parallel \mathbf{tell}(c(\vec{t})) \parallel\ !\,\mathbf{tell}(\mathit{out}'(stop'))) \\
& & \parallel\ \mathbf{next}\,!\,(\mathbf{abs}\ \vec{t}; c \wedge \mathit{out}'(go'))\,(Q \parallel \mathbf{tell}(c(\vec{t})) \parallel\ !\,\mathbf{tell}(\mathit{out}'(stop')))
\end{array}
$$

We notice that $R'_i \parallel R'_j \not\longrightarrow$ and that it is a process that can only output constraints of the form $\mathit{out}'(\vec{x})$ where $\vec{x}$ is a local variable. By appealing to Proposition 1 we conclude $\llbracket Q_i \rrbracket \parallel \llbracket Q_j \rrbracket \Longrightarrow\ \sim_{obs} (\mathbf{local}\ k)(\llbracket Q'_i \rrbracket \parallel \llbracket Q'_j \rrbracket)$.

(d) The cases using the rules Label and Pass can be proven similarly to the case for Link.
2. Completeness. Given the encoding and the structure of $P$, we have a utcc process $R = \llbracket P \rrbracket$ such that $R \equiv_u (\mathbf{local}\ \vec{x})(\llbracket Q_1 \rrbracket \parallel \cdots \parallel \llbracket Q_n \rrbracket)$.

Let $R_i = \llbracket Q_i \rrbracket$ for $1 \leq i \leq n$. By an analysis of the structure of $R$, if $R_i \longrightarrow R'_i$ then it must be the case that either (a) $R_i = \mathbf{when}\ e\ \mathbf{do}\ \mathbf{next}\,\llbracket Q'_i \rrbracket$ and $R'_i = \mathbf{next}\,\llbracket Q'_i \rrbracket$, or (b) $\langle R_i, c \rangle \longrightarrow \langle R'_i, c \wedge d \rangle$ where $d$ is a constraint of the form $\mathit{req}(\cdot)$, $\mathit{sel}(\cdot)$, $\mathit{out}(\cdot)$, or $\mathit{outk}(\cdot)$. In both cases we show that there exists $R''_i$ such that $R_i \longrightarrow^* R''_i$, $Q_i \longrightarrow_h Q'_i$ and $R''_i = \mathbf{next}\,\llbracket Q'_i \rrbracket$.

(a) Assume that $R_i = \mathbf{when}\ e \downarrow \mathit{true}\ \mathbf{do}\ \mathbf{next}\,\llbracket Q'_i \rrbracket$ for some $Q'_i$. Then it must be the case that $Q_i = \mathbf{if}\ e\ \mathbf{then}\ Q'_i\ \mathbf{else}\ Q''_i$. If $e \downarrow \mathit{true}$ we then have $R''_i = \mathbf{next}\,\llbracket Q'_i \rrbracket$. The case when $e \downarrow \mathit{false}$ is similar, considering $R_i = \mathbf{when}\ e \downarrow \mathit{false}\ \mathbf{do}\ \mathbf{next}\,\llbracket Q''_i \rrbracket$.

(b) Assume now that $\langle R_i, c \rangle \longrightarrow \langle R'_i, c \wedge d \rangle$ where $d$ is of the form $\mathit{req}(\cdot)$, $\mathit{sel}(\cdot)$, $\mathit{out}(\cdot)$ or $\mathit{outk}(\cdot)$. We proceed by case analysis on the constraint $d$. Let us consider only the case $d = \exists_k(\mathit{req}(a,k))$; the cases in which $d$ takes the form $\mathit{sel}(\cdot)$, $\mathit{out}(\cdot)$, or $\mathit{outk}(\cdot)$ are handled similarly. If $d = \exists_k(\mathit{req}(a,k))$ for some $a$, then we must have $Q_i \equiv_h \mathbf{request}\ a(k)\ \mathbf{in}\ Q'_i$. If there exists $j$ such that $Q_j \equiv_h \mathbf{accept}\ a(x)\ \mathbf{in}\ Q'_j$, one can show a derivation similar to the one in the Link case of soundness, proving that $R_i \parallel R_j \Longrightarrow\ \sim_{obs} (\mathbf{local}\ k)(\mathbf{next}\,\llbracket Q'_i \rrbracket \parallel \mathbf{next}\,\llbracket Q'_j \rrbracket)$. If there is no $Q_j$ such that $Q_i \mid Q_j$ forms a redex, then one can show by using (1) in Proposition 1 that $R_i \Longrightarrow\ \sim_{obs} R_i$.

□

4 A Timed Extension of HVK 

We now propose an extension of HVK in which time is treated explicitly and session closure is considered. More precisely, the language HVK^T arises as the extension of HVK processes (Definition 1) with refined constructs for session request and acceptance, as well as with a construct for session abortion:

Definition 8 (A timed language for sessions). HVK^T processes are given by the following syntax:

$$
\begin{array}{lll}
P ::= & \mathbf{request}\ a(k)\ \mathbf{during}\ m\ \mathbf{in}\ P & \text{Timed Session Request} \\
\mid & \mathbf{accept}\ a(k)\ \mathbf{given}\ c\ \mathbf{in}\ P & \text{Declarative Session Acceptance} \\
\mid & \mathbf{kill}\ k & \text{Session Abortion} \\
\mid & \{\ \text{the other constructs, as in Definition 1}\ \} &
\end{array}
$$

The intuition behind these three operators is the following: $\mathbf{request}\ a(k)\ \mathbf{during}\ m\ \mathbf{in}\ P$ requests a session $k$ over the service name $a$ for $m$ time units. Its dual construct is $\mathbf{accept}\ a(k)\ \mathbf{given}\ c\ \mathbf{in}\ P$: it grants the session key $k$ when a request arrives over the service name $a$ and the check of the constraint $c$ succeeds. Notice that $c$ stands for a precondition for agreement between session request and acceptance. In $c$, the duration $m$ of the corresponding session key $k$ can be referenced by means of the variable $\mathit{dur}_k$; in the encoding we syntactically replace it by the variable corresponding to $m$. Finally, $\mathbf{kill}\ k$ removes $k$ from the set of valid sessions.

Adapting the encoding in Table 3 to HVK^T processes is remarkably simple (see Table 4). Indeed, the modifications to the encoding of session request and acceptance are straightforward. The most evident change is the addition of the parameter $m$ within the constraint $\mathit{req}(a,k,m)$. The duration of the requested session is represented as a bounded replication of the process that keeps the session $k$ active, activation being represented by the constraint $\mathit{act}(k)$. The execution of the continuation $\llbracket P \rrbracket$ is guarded by the constraint $\mathit{act}(k)$ (i.e., $P$ can be executed only while the session $k$ is valid). Thus, in the encoding we use the function $\mathcal{R}_d(P)$ to denote the process that behaves as $P$ when the constraint $d$ can be entailed from the current store, and does nothing otherwise. More precisely:
$$
\begin{array}{rcl}
\llbracket \mathbf{request}\ a(k)\ \mathbf{during}\ m\ \mathbf{in}\ P \rrbracket & = & (\mathbf{local}\ k)\big(\, \mathbf{tell}(\mathit{req}(a,k,m)) \parallel \mathbf{whenever}\ \mathit{acc}(a,k)\ \mathbf{do}\ \mathbf{next}\big(\mathbf{tell}(\mathit{act}(k)) \parallel \mathcal{R}_{\mathit{act}(k)}(\llbracket P \rrbracket) \parallel\ !_{[m]}\, \mathbf{unless}\ \mathit{kill}(k)\ \mathbf{next}\ \mathbf{tell}(\mathit{act}(k))\big)\big) \\[4pt]
\llbracket \mathbf{accept}\ a(k)\ \mathbf{given}\ c\ \mathbf{in}\ P \rrbracket & = & (\mathbf{wait}\ k; \mathit{req}(a,k,m) \wedge c[m/\mathit{dur}_k])\ \mathbf{do}\ \big(\mathbf{tell}(\mathit{acc}(a,k)) \parallel \mathbf{next}\ \mathcal{R}_{\mathit{act}(k)}(\llbracket P \rrbracket)\big) \\[4pt]
\llbracket \mathbf{kill}\ k \rrbracket & = & !\,\mathbf{tell}(\mathit{kill}(k))
\end{array}
$$

Table 4: The Extended Encoding. $\mathcal{R}_d(P)$ is defined in Definition 9.



Definition 9. Let $\mathcal{R} : \mathcal{C} \to \mathit{Procs} \to \mathit{Procs}$ be defined as

$$
\begin{array}{rcll}
\mathcal{R}_d(\mathbf{skip}) & = & \mathbf{skip} & \\
\mathcal{R}_d(\mathbf{tell}(c)) & = & \mathbf{when}\ d\ \mathbf{do}\ \mathbf{tell}(c) & \\
\mathcal{R}_d(\mathbf{next}\ Q) & = & \mathbf{when}\ d\ \mathbf{do}\ \mathbf{next}\ \mathcal{R}_d(Q) & \\
\mathcal{R}_d(\mathbf{unless}\ c\ \mathbf{next}\ Q) & = & \mathbf{when}\ d\ \mathbf{do}\ \mathbf{unless}\ c\ \mathbf{next}\ \mathcal{R}_d(Q) & \\
\mathcal{R}_d(P_1 \parallel P_2) & = & \mathcal{R}_d(P_1) \parallel \mathcal{R}_d(P_2) & \\
\mathcal{R}_d(!\,Q) & = & !\,\mathcal{R}_d(Q) & \\
\mathcal{R}_d((\mathbf{abs}\ \vec{x}; c)\,Q) & = & (\mathbf{abs}\ \vec{x}; c)\,\mathcal{R}_d(Q) & \text{if } \vec{x} \notin \mathit{fv}(d) \\
\mathcal{R}_d((\mathbf{local}\ \vec{x}; c)\,Q) & = & (\mathbf{local}\ \vec{x}; c)\,\mathcal{R}_d(Q) & \text{if } \vec{x} \notin \mathit{fv}(d)
\end{array}
$$



On the side of session acceptance, the main novelty is the introduction of $c[m/\mathit{dur}_k]$. As explained before, we syntactically replace the variable $\mathit{dur}_k$ by the corresponding duration $m$ of the session. This is a generic way to represent the agreement that should exist between a service provider and a client; for instance, it could be the case that the client is requesting a session longer than the service provider can or wants to grant.



4.1 Case Study: Electronic booking 

Here we present an example that makes use of the constructs introduced in HVK^T.

Let us consider an electronic booking scenario. On one side, consider a company AC which offers flights directly from its website. On the other side, there is a customer looking for the best offers. In this scenario, the customer establishes a timed session with AC and asks for a flight proposal given a set of constraints (allowed dates, destination, etc.). After receiving an offer from AC, the customer can refine the selection further (e.g., by checking that the price is below a given threshold) and loops until finding a suitable option, which is accepted by starting the booking phase. One possible HVK^T specification of this scenario is given in Table 5.



$$
\begin{array}{rcl}
\mathit{Customer} & = & \mathbf{request}\ ob(k)\ \mathbf{during}\ m\ \mathbf{in}\ (k![\mathit{bookingData}];\ \mathit{Select}(k)) \\[2pt]
\mathit{Select}(k) & = & k?(\mathit{offer})\ \mathbf{in}\ (\mathbf{if}\ (\mathit{offer}.\mathit{price} < 1500)\ \mathbf{then}\ k \lhd \mathit{Contract}\ \mathbf{else}\ \mathit{Select}(k)) \\[2pt]
\mathit{AC} & = & \mathbf{accept}\ ob(k)\ \mathbf{given}\ \mathit{dur}_k < \mathit{MAX\_TIME}\ \mathbf{in}\ (k?(\mathit{bookingData})\ \mathbf{in}\ (\nu u)\,k![u];\ k \rhd \{\mathit{Contract} : \mathit{Accept} \parallel \mathit{Reject} : \mathbf{kill}\ k\})
\end{array}
$$

Table 5: Online booking example with two agents.



In a second stage, the customer uses an online broker to mediate between them and a set of airlines acting as service providers. Let $n$ be the number of service providers, and consider two vectors of fixed length: $\mathit{Offers}$, which contains the list $[\mathit{Offers}_0, \mathit{Offers}_1, \ldots, \mathit{Offers}_n]$ of offers received by the customer, and $SP$, which contains the list of trusted services. First, the customer establishes a session with the broker for a given period $m$; later on, the customer requests a flight by providing the details of the trip to the broker. On the other side, the broker looks into its pool of trusted service providers for the ones that can supply flights matching the customer's requirements. All possible offers are transferred back to the customer, who invokes a local procedure $\mathit{Sel}$ (not specified here) that selects one of the offers by performing an output on name $a$. Once an offer is selected, the broker allows a final interaction between the customer and the selected service. It does so by delegating to the customer the session key previously used between the broker and the chosen service provider. Finally, the broker proceeds to cancel all the sessions concerning the discarded services. An HVK^T specification of this scenario is given in Table 6 where, for the sake of readability, processes denoting post-processing activities are abstracted away from the specification.

A notable advantage of using HVK^T as a modeling language is the possibility of exploiting timed constructs in the specification of service enactment and service cancellation. In the above scenario it is possible to see how HVK^T allows (i) to take explicit account of the maximal times accepted by the customer: the composition of nested services can run at different speeds, but the service broker ensures that slow customers are ruled out of the communication; and (ii) to make more efficient use of the available resources: since there is no need to maintain interactions with discarded services, the service broker frees those resources by sending kill signals.

(a) Customer and Service Provider

$$
\begin{array}{rcl}
\mathit{Customer} & = & \mathbf{request}\ ob(k)\ \mathbf{during}\ m\ \mathbf{in}\ \big(\, k![\mathit{bookingData}];\ k?(n)\ \mathbf{in}\ \big(\ \prod_{i \leq n} k?(\mathit{Offers}_i)\ \mathbf{in}\ \big(\ \mathit{Sel}(\mathit{Offers});\ a?(x)\ \mathbf{in}\ k![x]; \\
& & \quad \mathbf{catch}\ k(k')\ \mathbf{in}\ (k'![\mathit{PaymentDetails}];\ \mathbf{inact})\ \big)\big)\big) \\[4pt]
\mathit{SP}_i & = & \mathbf{accept}\ SP_i(k'_i)\ \mathbf{given}\ N < 300\,\mathit{ms}\ \mathbf{in}\ \big(\, k'_i?(\mathit{bookingData})\ \mathbf{in}\ k'_i![\mathit{offer}];\ k'_i?(\mathit{paymentDetails})\ \mathbf{in}\ \mathbf{inact}\,\big)
\end{array}
$$

(b) Online Broker

$$
\begin{array}{rcl}
\mathit{Broker} & = & \mathbf{accept}\ ob(k)\ \mathbf{given}\ m < 500\,\mathit{ms}\ \mathbf{in}\ \big(\, k?(\mathit{bookingData})\ \mathbf{in}\ k![|SP|]; \\
& & \quad (\nu u)\ \prod_{i \in |SP|} \big(\mathbf{request}\ SP_i(k'_i)\ \mathbf{during}\ N\ \mathbf{in}\ (k'_i![\mathit{bookingData}];\ k'_i?(\mathit{offer}_i)\ \mathbf{in}\ (u![\mathit{offer}_i];\ \mathbf{inact} \parallel S(u,k)))\big) \\
& & \quad \parallel\ \mathbf{def}\ X(\mathit{Offers}, k'_1, \ldots, k'_n) = P\ \mathbf{in}\ \prod_{i \in |SP|} \big(\mathbf{if}\ (y = \mathit{offers}_i)\ \mathbf{then}\ (\mathbf{throw}\ k[k'_i];\ \mathit{PostProc})\ \mathbf{else}\ \mathbf{kill}\ k'_i \parallel P(X - \{\mathit{offers}_i, k'_i\})\big)\,\big) \\[4pt]
S(u,k) & = & \prod_{i \in |SP|} \big(u?(\mathit{offer}_i)\ \mathbf{in}\ \mathbf{inact} \parallel k![\mathit{offer}_i];\ \mathbf{inact}\big)
\end{array}
$$

Table 6: Online booking example with online broker.



4.2 Exploiting the Logic Correspondence 

To exploit the logic correspondence we can draw inspiration from the constraint templates put forward in [14]: a set of LTL formulas that represent desirable/undesirable situations in service management. Such templates are divided into three types: existence constraints, which specify the number of executions of an activity; relation constraints, which define the relation between two activities that must be present in the system; and negation constraints, which are essentially the negated versions of relation constraints.

By appealing to Theorem 1, our framework allows for the verification of existence and relation constraints over HVK^T programs. Assume an HVK^T program $P$ and let $F = TL\llbracket\, \llbracket P \rrbracket\, \rrbracket$ (i.e., the FLTL formula associated to the utcc representation of $P$). For existence constraints, assume that $P$ defines a service accepting requests on channel $a$. If the service is eventually active, then it must be the case that $F \vdash \Diamond\, \exists_k(\mathit{acc}(a,k))$ (recall that the encoding of accept adds the constraint $\mathit{acc}(a,k)$ when the session $k$ is accepted). A slight modification to the encoding of accept would allow us to take into account the number of accepted sessions and then support the verification of properties such as $F \vdash \Diamond(N_{\mathit{sessions}}(a) = N)$, informally meaning that the service $a$ has accepted $N$ sessions. This kind of formula corresponds to the existence constraints in [14, Figures 3.1.a-3.1.c]. Furthermore, making use of the guards associated to ask statements, we can verify relation constraints as eventual consequences over the system. Take for instance the specification in Table 5. Let $\mathit{Accept}$ be a process that outputs "ok" through a session $h$. We then may verify the formula $F \vdash \exists_u(u.\mathit{price} < 1500 \Rightarrow \mathit{out}(h, ok))$. This is a responded existence constraint describing how the presence of an offer with price below 1500 leads to an acceptance state.
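The following Python simulation is an added example, not part of the paper: it animates the Table 4 encoding of timed session request, declarative acceptance and kill over discrete time units, and then checks the existence and responded-existence templates of this section over the resulting traces. The time-unit reading of `next`, `![m]` and `unless`, the constraint spelling used for the store, and the sample durations and guards are assumptions of the example.

```python
"""Discrete-time simulation of the HVK^T session lifecycle as encoded in Table 4
(request ... during m / accept ... given c / kill), plus trace-level checks of
the LTL constraint templates of Section 4.2.

Constructed example, not code from the paper. Time-unit semantics assumed here:
a tell is visible only in the current time unit, `next` moves an effect to the
following unit, and `![m] Q` runs Q in each of the next m units.
"""
from typing import Callable, FrozenSet, List, Optional

Trace = List[FrozenSet[str]]   # constraints entailed by the store, per time unit


def simulate_session(a: str, k: str, m: int, guard: Callable[[int], bool],
                     kill_at: Optional[int] = None, horizon: int = 12) -> Trace:
    """Trace of  request a(k) during m in P  ||  accept a(k) given c in Q
    (|| kill k from time unit kill_at).  guard(m) plays the role of c[m/dur_k]."""
    trace: Trace = []
    accepted_at: Optional[int] = None
    for t in range(horizon):
        store = set()
        if t == 0:
            store.add(f"req({a},{k},{m})")          # tell(req(a,k,m))
            if guard(m):                            # (wait k; req(a,k,m) ∧ c[m/dur_k]) do tell(acc(a,k))
                store.add(f"acc({a},{k})")
                accepted_at = t
        if kill_at is not None and t >= kill_at:    # [[kill k]] = ! tell(kill(k))
            store.add(f"kill({k})")
        if accepted_at is not None and t > accepted_at:
            first = accepted_at + 1
            # whenever acc(a,k) do next( tell(act(k)) || ![m] unless kill(k) next tell(act(k)) )
            if t == first:
                store.add(f"act({k})")
            elif first <= t - 1 < first + m and f"kill({k})" not in trace[t - 1]:
                store.add(f"act({k})")
        trace.append(frozenset(store))
    return trace


def active_units(trace: Trace, k: str) -> List[int]:
    """Time units in which act(k) holds, i.e. in which R_act(k)([[P]]) may run."""
    return [t for t, s in enumerate(trace) if f"act({k})" in s]


def eventually(trace: Trace, c: str) -> bool:
    """◇ c over the trace: an existence constraint."""
    return any(c in s for s in trace)


def response(trace: Trace, trigger: str, effect: str) -> bool:
    """□(trigger ⇒ ◇ effect): a responded-existence (relation) constraint."""
    return all(any(effect in s for s in trace[i:])
               for i, s in enumerate(trace) if trigger in s)


if __name__ == "__main__":
    ok = simulate_session("ob", "k", 3, lambda dur: dur <= 5)
    print("accepted:", eventually(ok, "acc(ob,k)"), "active:", active_units(ok, "k"))
    too_long = simulate_session("ob", "k", 10, lambda dur: dur <= 5)
    print("accepted:", eventually(too_long, "acc(ob,k)"), "active:", active_units(too_long, "k"))
    killed = simulate_session("ob", "k", 3, lambda dur: dur <= 5, kill_at=2)
    print("killed at 2, active:", active_units(killed, "k"))
```

The guard `dur <= 5` plays the role of the provider's `given` constraint (compare `dur_k < MAX_TIME` in Table 5): a request for a longer duration is never accepted, so the existence constraint ◇∃k acc(ob,k) fails on that trace, whereas on the accepted trace act(k) holds for m+1 time units (the initial tell plus m guarded re-tells) unless a kill signal cuts it short, after which the guarded continuation can no longer run.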

5 Concluding Remarks 

We have argued for a timed CCP language as a suitable foundation for analyzing structured communications. We have presented an encoding of the language for structured communication in [7] into utcc, as well as an extension of that language that explicitly considers elements of partial information and session duration. To the best of our knowledge, a unified framework in which behavioral and declarative techniques converge for the analysis of structured communications has not been proposed before.

Languages for structured communication and CCP process calculi are conceptually very different. We have dealt with some of these differences (notably, determinacy) when stating an operational correspondence property for the declarative interpretation of HVK processes. We believe there are at least two ways of achieving more satisfactory notions of operational correspondence. The first one involves considering extensions of utcc with (forms of) non-determinism. This would allow us to capture some scenarios of session establishment in which the operational correspondence presented here falls short. The main consequence of adding non-determinism to utcc is that the correspondence with FLTL as stated in Theorem 1 would no longer hold. This is mainly because non-deterministic choices cannot be faithfully represented as logical disjunctions (see, e.g., [11]). While a non-deterministic extension of tcc with a tight connection with temporal logic has been developed (ntcc [11, 10]), it does not provide for representations of mobile links. Exploring whether there exists a CCP language between ntcc and utcc combining both non-determinism and mobility while providing logic-based reasoning techniques is interesting on its own and appears challenging. The second approach consists in defining a type system for HVK and HVK^T processes better suited to the nature of utcc processes. This would imply enriching the original type system in [7] with, e.g., stronger typing rules for dealing with session establishment. The definition of such a type system is delicate and needs care, as one would not like to rule out too many processes as a result of too stringent typing rules. An advantage of a type system "tuned" in this way is that one could aim at obtaining a correspondence between well-typed processes and logic formulas, similar to the one given by Theorem 1. Along these lines, plans for future work include the investigation of effective mechanisms for the seamless integration of new type disciplines and reasoning techniques based on temporal logic within the elegant framework provided by (timed) CCP languages.

The timed extension of HVK presented here includes notions of time that involve only session engagement processes. A further extension could involve the inclusion of time constraints over input/output actions. Such an extension might be useful to realistically specify scenarios in which factors such as, e.g., network traffic and long-lived transactions prevent interactions between services from occurring instantaneously. Properties of interest in this case could include, for instance, the guarantee that a given interaction has been fired at a valid time, or that the nested composition of services does not violate a certain time frame. We plan to explore case studies of structured communications involving this kind of timed behavior, and to extend/adjust HVK^T accordingly.